U.S. Environmental Protection Agency
Office of Inspector General

12-P-0900
September 27, 2012

At a Glance

Results of Technical Network Vulnerability Assessment: EPA's National Vehicle and Fuel Emissions Laboratory

Why We Did This Review

We sought to conduct network vulnerability testing of the U.S. Environmental Protection Agency's (EPA's) National Vehicle and Fuel Emissions Laboratory (NVFEL) Local Area Network to identify resources that contained commonly known high-risk and medium-risk vulnerabilities. We also sought to assess the physical controls and environmental controls around critical information technology assets located in the NVFEL. We conducted this audit as part of the annual review of EPA's information security program as required by the Federal Information Security Management Act.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

• Strengthening EPA's Workforce and Capabilities

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120927-12-P-0900.pdf

What We Found

While our assessments of EPA's NVFEL server room found no weaknesses with physical controls and environmental controls, vulnerability testing of networked resources located in the NVFEL identified Internet Protocol addresses with potentially 9 critical-risk, 70 high-risk, and 297 medium-risk vulnerabilities. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network.

The laboratory and the Office of Environmental Information manage the resources located in NVFEL that contained these weaknesses. We found a discrepancy between the offices concerning responsibility for certain equipment located in the NVFEL. However, NVFEL provided documentation which placed ownership responsibility with the Office of Environmental Information and Customer Technology Solutions for the devices in question.

Recommendations and Agency Corrective Actions

We recommend that the Senior Information Official within the Office of Air and Radiation and the Office of Environmental Information:

• Provide the OIG a status update for every critical-risk, high-risk and medium-risk vulnerability identified by the technical scanning tool within 30 days of this report.
• Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report.
• Perform a technical vulnerability assessment test of assigned networked resources within 60 days to confirm completion of remediation activities.

We also recommend that the Senior Information Official within the Office of Environmental Information:

• Disconnect any networked resources without documented ownership responsibility.
• Complete an inventory of all Customer Technology Solutions equipment prior to implementation of EPA's new managed desktop support system.

Representatives from both offices acknowledged the existence of the vulnerabilities and stated they have begun developing corrective actions to address the risks related to these weaknesses. NVFEL reported it remediated all high-risk vulnerabilities under its responsibility prior to the issuance of this report. The detailed testing results have already been provided to Agency representatives. Due to the sensitive nature of the report's technical findings, the technical details will not be made available to the public.